Kissmetrics Blog

A blog about analytics, marketing and testing

Official KISSmetrics Response to Data Collection Practices

I’m Hiten Shah, the CEO of KISSmetrics. First of all, I’d like to thank you for being part of the KISSmetrics community and allowing us to help you make better decisions for your online business. That’s a responsibility that I take very seriously.

Recently there have been articles in the press about KISSmetrics’ use of customer data, followed by two lawsuits. These articles are based entirely on a paper by Ashkan Soltani, who published his paper on the same day that the first lawsuit was filed.

As a company founded on integrity, we were blindsided by these allegations. We take these claims very seriously, and we think it is important for you to have the facts about our company.

Mr. Soltani’s paper significantly distorts our technology and business practices. To set the record straight:

KISSmetrics has never shared any information about a user with any third party.

KISSmetrics does not track users across different websites, nor do we have the ability to do so.

Mr. Soltani’s paper speculates that KISSmetrics tracks customers across websites based on his observation of a shared identifier on different customer websites. This has never occurred. His misinformation appears to result from the fact that we use the same url for all customers to reduce server and bandwidth resources and increase end-user performance, which is critical given our small size. An incidental consequence of this is that the same anonymous identifier was returned externally across multiple websites. However, internally, these identifiers are instantly translated into unique identifiers for each customer, and KISSmetrics has gone to extensive lengths to avoid linking any information from different customers, including segregating each customer’s data in a completely separate database.

Mr. Soltani also claims that it is somehow improper to use any technology other than browser cookies to track website activity. In fact, countless online companies, including other major analytics providers, use a variety of different technologies to provide these services, including the persistent technologies Mr. Soltani targets in his paper.

We take Mr. Soltani’s claims very personally because we designed our company to go above and beyond what other companies are doing to protect user privacy and to avoid any sharing of user information with other websites. One of the key benefits of our service is that we are able to provide critical insights to our customers without aggregating data between customers or sharing their data with third parties, unlike other services.

Although our practices have always been lawful and ahead of industry best practices, we are a small start up, and we want to eliminate any concern or confusion about our business practices. To address any misinformation about our company, we have made the following changes:

KISSmetrics only uses first-party cookies for tracking.

KISSmetrics does not use ETags or any other persistent cookie or object for tracking purposes.

KISSmetrics has added support for the Do Not Track header. We have chosen to implement our Do Not Track in the most stringent possible fashion: preventing KISSmetrics from tracking any information about the user, even within a single session at your site.

KISSmetrics has added a consumer-level opt-out for those who wish to be entirely removed from all KISSmetrics tracking, going well beyond the options that other analytics companies provide.

Finally, a few thoughts about the lawsuits: we are not the first online company to be targeted by a meritless lawsuit, and we will not be the last. The same lawyers who filed these cases have filed dozens of cases around the country against hundreds of publishers, application providers, ad networks and analytics providers. Many of these companies have elected to settle, but when challenged, courts have repeatedly held that these claims have no merit. We believe in the value our company provides to our customers and are going to fight this lawsuit head on. We have every confidence that this case will be dismissed, and that we will be able to move on and continue providing great products to our customers.

We greatly appreciate the support we’ve received from the community across various forums. It’s helped sustain us during this frustrating ordeal, and it has allowed us to remain focused on providing an outstanding product to the online business community. If you have any questions or concerns about any of this, please contact us at: hello@kissmetrics.com

UPDATED: A previous version of this blog post indicated that Mr. Soltani “works closely with the lawyers who filed these cases.” We are advised by plaintiffs’ counsel that that is not correct and that they do not work with Mr. Soltani. Because we want to get the facts 100% correct (unlike those who have sued us), we have removed that language from the blog post. We continue to note, for the record, that the first suit against us was filed the same day that Mr. Soltani’s paper was published, and we further note that a series of previous lawsuits involving “Flash cookies” filed by the same plaintiffs’ lawyers in 2010 relied on another paper authored by Mr. Soltani.

Where Google Analytics Falls Short

They tell you ‘what’. We tell you ‘who’. Find out more in this free guide.

Regarding the statements that “[your] practices have always been lawful” and being a “company founded on integrity”, do you have evidence of legal precedent that ensure your tracking activities were lawful or are you assuming what you did was legal? Do you believe cookie reconstitution is ethical even after a visitor reasonably believes they have taken steps to ensure their privacy?

Shut up Erin. The man wouldn’t have written this article and wouldn’t be taking on a lawsuit if he did have proof that KISSmetrics actions were legal. Did you even read the article or did you only make it through the first paragraph before deciding that was enough to substantiate a pointless and rhetorical complaint?

aren’t you a bit rude? Don’t get me wrong – I am entirely on your side, but such a blog should be able to deal with critical statements in a more polite and professional way. After all, Erin was asking a question that many others might have had as well. Ok, maybe she should have read the whole story before posting her question, but this is not the point. You, as a company that prides itself on its integrity (which I think is great!) should not answer user’s comments by saying “Shut up”. Honestly, I’m quite astonished about this.

I work for IBM and I often read KISSmetrics from my office. Our system wouldn’t allow any unethical tracking of information… so, I know for a fact that KISSmetrics is within the law. IBM has a system that would block the site if it had tracking software or malicious cookies… I wouldn’t be able to view the site from work. So, the lawsuit is unjust!

Some people are just litigious as Oslo said. I think your lawsuit is based on a quick settlement… that’s what they’re hoping. That’s our legal system, bad guys suing good guys.

As a fellow IBMer, I urge you to consider if you might be ignorant of what we filter and what we do not (in fact, as I understand it – and I may be wrong – we filter practically nothing web-based unless its known to relate to malware).

As to “Our system wouldn’t allow any unethical tracking of information”, remember that all systems can fail. We have policies, rules and technology which can help us keep on the right side, but even so bad things could theoretically happen. This is why we also have review processes and why people are encouraged and supported to speak-up when they feel something isn’t right.

If you are planning on using the fact you work for IBM to provide some credibility or to support a given side in this (or indeed in any) story, you should speak with IBM general counsel in your IMT before doing so. You may wish to also read up on the IBM Social Computing Guidelines (which encompass the BCG’s) also. I don’t think your association with our company is particularly relevant to your view on this issue and would personally advise you keep it out of the frame :)

Gosh Alex, perhaps you might have put a filter on your own mouth before making a public embarrassment not only yourself but of your company. God forbid you discreetly might have pulled Susan aside and shown a little respect to her…and yourself. But no…just couldn’t pass up that opportunity to make yourself feel like a big shot, right? So typical.

In your blog post, you state that “These articles are based entirely on a paper by Ashkan Soltani, who works closely with the lawyers who filed these cases, and who published his paper on the same day that the first lawsuit was filed.”

Looking at Mr Soltani’s website, I see that he has consulted for the What They Know series at the Wall Street Journal, and the Federal Trade Commission.

I do not see anything regarding a financial relationship with class action attorneys.

It’s a hard task responding to critics and litigation, especially when privacy and users rights are concerned.

It’s difficult to see what’s going on behind the scenes here- it could be a case of interested parties taking advantage of the courts to ruin the reputation of KISSmetrics, or maybe there is legitimate concerns here- either way it’s good to see a response directly from the source. Thanks, Hiten.

Hiten, I am impressed with your response, in regards to both this public statement and the changes you have made to your analytics product. Kudos to your continued innovation and running a great company.

It’s sad to see how common meritless, malicious suits have become in our litigious society, and how the burden of proof seems to have fallen on the accused, as seen in some of the comments above. The burden of proof properly belongs with the accuser. “Innocent until proven guilty.” Sound familiar?

I have met Hiten on a few occasions and followed his company and posts online and I can say I’m cothenfident that he adheres to the highest standards of personal integrity. I hope this legal matter is resolved so he can return to building his product.

It’s a shame that people tried to penalize you for innovating your industry. Perhaps these lawyers, or Mr. Soltani, himself should give your product a try, and then take a step back and suffer the horrors of setting conversion goals without using button_IDs on Google Analytics.

Well done with a professional, dignified response. Taking the high road here is absolutely the way to earn even more respect and demonstrate your integrity as a company. Good luck guys, keep up the great work.

Someone should suit you guys for making it incredibly confusing to implement your service. Your UI isn’t that good (not sure how you speak about UI at conferences) and your data doesn’t matchup to other analytics platforms like GA or Chartbeat.

Thanks Hiten. KISSmetrics has been essential for improving the usability of our Website. Building a startup that provides such a valuable service is an incredible challenge. As advisors to each other’s companies, I know you are one of the most ethical and helpful people in the startup world.

We are in a sad place when lawyers prey on a startup and founder that is so committed to doing the right thing.

Hiten et. al. – stay strong. It sucks that guy’s misinformation is getting distorted, retransmitted & amplified and you guys are getting hit w/ this frivolous lawsuit. It’s hard to fathom how many collective hours of “barking up the wrong tree” you and your team have saved the entrepreneurial community. For the sake of all web startups I hope the judge realizes what a crock this lawsuit is and how top-notch you guys have conducted yourselves in the face of such low-life bullying behavior.

Hiten and KISSmetrics team – you have supported us over the years and of course you have our support now.

Unfortunately this isn’t uncommon in the world of business. Typically it’s easier and less expensive to settle, but that doesn’t mean it’s the right thing to do. I applaud you guys for standing up for yourselves and your product.

Although I cannot comment on the technology behind kissmetrics’ offering, I have met Hiten on a number of occasions and can comment on his character. He is a completely ethical entrepreneur and I’d be very surprised if anything that kissmetrics does is even close to the ‘borderline’. Glad you are fighting this one.

I agree with a lot of your readers that this lawsuit is baseless. I applaud you for taking the first step and being 100% transparent (so unlike AirBnb). This has the potential to blow up, so please continue to be transparent and it will diffuse over time. Good Luck!
Also, it would be nice if your community of followers sends a personal note to Washington to show how our legal system needs major reform if we are to support startups and encourage hiring in this country. I will voluntaril sign a petition if one exists.

It’s not just the tech world. An ex-coworker hit a man in a wheelchair with her car and killed him. Everyone, including police, said the crash was the fault of the man in the wheelchair. His relatives still sued. The insurance company lawyer said that even though the man was at fault, they would settle the suit for $100,000 because it was cheaper than going to trial.

You were using Etags for user tracking rather than cache control (for which they are intended), yet claim to be ahead of industry best practices. And now you’ve stopped that practice in light of the lawsuits. Haven’t you just admitted that Etag tracking is unethical? If you *do* consider it an ethical use of Etags, why have you now stopped? Why did you choose Etags over cookies in the first place? It’s a blatant misapplication of the technology, and the only advantage of using them rather than cookies is that the end user cannot disable tracking via Etags. And you could have certainly used different URLs for each client’s tracking code, since different URLs can easily point to the same server or even the same resource on that server with no extra overhead. The only disadvantage technically would be that you *couldn’t* track users across your clients’ sites if the URLs were unique to the client, because cookies would then be unique per domain. I’m not going to comment on the character of KISSmetrics employees, but even if they’re the nicest guys in the world, there are (or were) seriously dangerous technical practices inherent to the service.

Thanks to everyone (including Mr. Soltani) for their comments. One of the unfortunate aspects of this situation is that, given the pending litigation, we have been advised by our counsel not to comment further on this matter. We continue to believe we have done nothing wrong and look forward to the opportunity to correct the record and put this matter behind us.

Reading how cookie resurrection and e-tag tracking was implemented I know that the programmers who coded it were very smart. Smart programmers like to discuss how smart they are; “look boss, even if the user does this or that which would break normally tracking my code will still be able to track them”.

Now smart programmers occasionally do dumb things; they get carried away solving a hard problem and sometimes they miss points like “if this code ever gets publicly discussed it is going to generate really negative press and potentially law suits”. Management either did not understand the technology or did not to spot the public relations problem it would lead to. That’s a textbook management failure. In the Darwinian world of business they pulled the tigers tail and took a mauling.

Management did the right thing and withdrew/rewrote the code and is addressing the matter in public forums. It is hard to perceive that there is anything aggravating or evasive in the company response. A lesson to all.

The law suit will try to prove that they knew it was a tiger they were assaulting and that punitive damages are appropriate. Any reasonable person rightly sees that trolling for what it is; the creepy crawls of the business jungle. I hope those bugs crawl back under their rock and life can heal and move on.

So with all your technological/legalese bloviation you did here why is it too taxing to say in plain fricking English how to opt out and where to go to do it, especially as Chad Vavra pointed out that you have no search bar to find it? If everything was ok and legal with the way you were doing things then why did you have to make all these changes? Just answer these questions please or we will have to conclude you are full of it. Thanks.

Also I find it interesting that my name and address along with a google map to my house ended up on Spokeo.com who is a plaintiff in this lawsuit as you can see here

extremetech.com/wp-content/uploads/2011/08/complaint.pdf

not too soon after I visited Kissmetric’s site and blogged about this. I google my name all the time, sometimes as much as every other day, and this site never showed up until after I blogged about this KISSmetrics crap. I am aware that this is all public information anyway and that it can be found on many sites where you can get it for free or pay to get it, but I find it odd that it ended up on Spokeo.com when it did which was right after becoming aware of this controversy and blogging about it. I had to contact them and ask to be taken off. Did this happen because I often go to sites where I have to fill in my name and address for some reason and your cookie bullshit is tracking where I go and what I do?

Also I think I have your crap on my computer as it has been running very, very slow. I also find that stuff I have looked at on one site will pop up in ads on other sites which only recently started happening with such regularity as to be realy noticeable and sort of spooky.

You did answer my email about where the opt out thing is I admit, but like ndrcvrngl I find it about as useless as a nun at an orgy because who is going to implant some cookie of yours on their computer now, and if they do won’t it be deleted every time you clear your cache forcing you to reinstall it every time?

Why you couldn’t put the opt out link where people can find it is beyond me. Why you think it’s ok to implant something undeletable on people’s computers that they can’t get rid of and that effects how their computer runs is also beyond me.

The “opt out” method from this horrible, horrible company’s Zombie Cookies only works if you accept their cookie. It’s like taking “The Number of The Beast.” Hopefully the authorities will break it up, arrest the perpetrators and send them back to whatever Godforsaken Hell spewed them forth.

Follow Us

Article Categories

What is Kissmetrics?

We're more than just a blog! Our online software helps marketers turn analytics into insights that guide decision-making and growth. Kissmetrics is different because it ties every visit on your website to a person – even if they're using multiple devices.